May 07, 2006

Payment systems - the explosion of 1995 is happening in 2006

The online security for World of Warcraft is as bad as it is for internet banking, and World of Warcraft has six million subscribers (more than many banks have Internet banking customers). It's just passwords. So now the phishers have provided yet another confirmation that World of Warcraft gold is as real as Sterling by launching yet another wave of phishing attacks! Now, phishing attacks on virtual worlds are hardly new, but the scale and sophistication are growing all the time.

(Dave, FTR, when was the first phishing attack on virtual worlds?) I've written before about crime in the virtual worlds. Here are more details:

A few days ago, it was reported that a new Trojan has appeared on the scene: PWS.Win32.WOW.x. Spread via email, IM, and Peer2Peer file sharing - and gamers tend to do a lot of each of these - as well as through our old friend the malicious pop-up ad that exploits Internet Explorer vulnerabilities (and you know you shouldn't be using IE, but perhaps you are a masochist), this Trojan is brilliant in its limited, precise scope. Once installed, Win32.WOW tries to steal a World of Warcraft user's name and password. Armed with that information, the criminal logs in to the user's online Warcraft account, transfers all the player's virtual property to an avatar controlled by the attacker, and then sells the property on a gray-market auction site for real money. By the time the player figures out what has happened, their character is denuded of all his goodies and the villain in this story is long gone.

(interesting military tricks at the start of that article...)

Back to the thrust of this post. Over in the telco world, everyone is madly rolling out payment systems. *Everyone*. Why? For the most part the handsets now have sufficient power to run the application, and the systems programming infrastructure is well developed (read: cheap). Also, banks are out of that scene (read: fed up) and they have problems enough in their home turf (read: phished!).

So anyone can move in and do it without the normal interference - either a startup or the telco itself.

The early experiments have been made. The errors and the mistakes are all there for the careful researcher. Enough successes exist now that you don't even need to be careful, you just need to avoid being stupid. The b-plan is simple - pick the successful system you want to emulate, change a few parameters so you aren't in direct competition, go.

But all is not so rosy. Reports are that the phones are completely insecure as platforms. So back to Dave again:

Now that you can withdraw virtual money from real ATMs, this is only going to get worse. I'll just replay that part: now that you can withdraw virtual money from real ATMs... The first cards are going to be issued for Project Entropia. Players may now exchange their virtual world currency with real world cash using Versatel-compatible ATMs, according to Entropia developer MindArk. The cards are available exclusively through MindArk and bridge a player's in-game PED (Project Entropia Dollars) with their real (whatever that means!) bank account. The rate of exchange (10 PEDs to $1 USD), according to MindArk, is fixed.

We may be polite in other circles and pretend that Dave is speaking about games people play. But here in FC we deal in the bitter truth. He's really talking about everything. All payment systems, all sectors, businesses.

So where are we heading here?

Back in the mid 90s, David Chaum (the prof who invented digital cash) lit a firestorm of speculation pithily captured as "The End of Money." Of course that didn't happen, in fact nothing much happened at all, but it didn't stop many people jumping on the bandwagon (until their ticket expired) or regulators rushing in or journalists writing a thousand articles.

The explosion predicted then is happening now. And it's happening in the way that was predicted back in the 1995 era. Then, it was common for cryptographers (unfinancial) to have the upper hand, saying that if we don't secure this stuff, it will turn into a catfight. So they secured everything and it bogged down.

Now, the reverse is happening. If we subscribe to GP, then we are learning to live with the red curve being a very close part of our operation - the Paypal model if you like.

We need to learn to live in a world of continual, fast moving fraud and continual, fast moving payment systems. Obviously, the regulator's nightmare, and the financial cryptographer's bane.

Unfortunately, the old players only have themselves to blame for this. The lessons from the past are quite clear. One long hard lesson is that you don't fight fraud until you can see it. Another lesson is that you launch your payment system from as far away from the banking sector and the regulators as possible, because you want it to succeed. (Pop quiz - which massive company is launching a huge payment system as far away from the banking sector as possible... today?)

You don't regulate until you have something to regulate. And it helps to have a good reason, too. So when the Europeans rushed in and tried to clamp down on this evil development, they just killed the innovation within - Digicash and the various strong smart card developments - and sent all the researchers off elsewhere. Yes, they reserved it for the banks, which was their intention. No, the banks didn't do it, which was what economics predicted. So the end effect was that the Europeans blew their wad. Now they have to sit back and let the world do payment systems to them.

Over in the US, the Americans had a secret weapon: Alan Greenspan. History doesn't record in detail what the living god of monetary policy was up to in the world of payment systems, but I saw the tracks everywhere. What he did was to create a decade of peace. From the early days, right up until the last few years, digital money was able to experiment and blossom in the US.

Those days came to an end with 9/11. Since then, the money transmitter regulations were used to bring all to heel. Paypal, e-gold, all those remittances that drive a non-trivial portion of the Latin American economy, they all work for the man, now. And heat is being turned up:

A House subcommittee today approved legislation banning all forms of online gambling in the United States. To strike at offshore gambling sites, the panel authorized law enforcement officials to stop credit card and other forms of electronic payments to those sites.

The US is repeating the errors of the Europeans in the 90s. So expect, as a long-term prediction, to see the centre of gravity move outside the US. Which isn't to say that Paypal won't make good money, but they won't be doing too much that is different, and they are about to become one player in a crowded market (c.f., b-plan above).

The new world for payment systems is now outside the US and outside the Europeans. The question is, where is it going?

In the past 12 months, the government of Belarus tried to clamp down on WebMoney. I am closely following news about WM, yet even I failed to notice; another testimony to the resilience of WM.
There are different opinions about the reasons (the most popular being that Lukashenko's regime perceived WM as an uncontrollable channel of opposition-financing, the most plausible being that WM provided Belarusians with defenses against monetary policies designed to rob them blind), but the fact is that WM scratch-cards are no longer on sale at subway stations, wmbelarus.com is hosted in Switzerland, and the owner of the first WM exchange in Belarus was sentenced to two years of public works.
But most importantly, a partially state-controlled bank rolled out its own digital payment system, easypay.by (which is surprisingly well-designed from a purely technical point of view). Guess what happened: wmbelarus.com set up an exchange for easypay vs. WM and easypay just replaced the shut-down infrastructure for purchasing and selling WM. Otherwise, WM circulation in Belarus keeps increasing and most of e-commerce is still done in WM.

This trick of circumventing regulation by setting up an out-of-jurisdiction exchange is not new to WM. It is the same way they defeated EU regulations by setting up a compliant issuer in Latvia and an exchange somewhere in the cyberspace (it keeps moving, but no one notices).

To their credit, Russian and Ukrainian authorities (both pre- and post-orange revolution ones) continue their hands-off approach. Meanwhile Putin's alma mater (the law school of St. Petersburg State University) is offering courses in "arbitration of on-line disputes". Sponsored by guess whom.

slightly related post in a thread about paypal and financial services offerings

it also mentions that several of the digital cash operations in the 90s were structured as a mechanism of acquiring the float on the money in the infrastructure.

in the mid-90s some number of the central banks stated that they would allow the operations to retain the float through startup phases but after that they would be required to start paying interest on the customers' value on deposit in the infrastructure.

this somewhat put a damper on some amount of digital cash ventures related to starting and operating such infrastructures (that they would not be able to count on the large float bonanza): http://www.garlic.com/~lynn/2006i.html#14

Lynn, was that in the US or in Europe? I can well imagine that Mondex were told the float would be regulated ... because they based their business case on such float capture issues and tried to reserve it to Mondex International. Such an amusing selling technique :)

Iang wrote:
> Lynn, was that in the US or in Europe? I can well
> imagine that Mondex were told the float would be
> regulated ... because they based their business
> case on such float capture issues and tried to
> reserve it to Mondex International. Such an
> amusing selling technique :)

the central banks I remember making the statement were mostly in europe. many of the "stored value" digital cash systems are at least partially based on float providing financial incentive.

one of the big issues in the early e-check operation was whether the funds would settle immediately electronically or take several days. some of the financial institutions were used to the float operation of the physical check world. this was also raised in the recent check21 mandates and how long would it take funds to actually settle.

with respect to mondex, we had been asked to design and cost an infrastructure for a national deployment ... as part of that we also did a business analysis of the financials. they were looking at charging fees for fund transfers into the card as well as losing the float. part of this was that the float (originally) effectively all rolled up to mondex international ... so the other institutions in the infrastructure had to cover their costs by other mechanisms.